PHP salt 和 hash SHA256 用于登录密码
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20764031/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP salt and hash SHA256 for login password
提问by Simon_says
I've made encrypting of the password in my register script and they are stored in the database, and I have to use them to login, so I would want to use the unencrypted ones to login. I've read some of the threads in here but nothing is helping me. How can I add it in my login.php? The salt is also stored in the database.
我在我的注册脚本中对密码进行了加密并将它们存储在数据库中,我必须使用它们来登录,所以我想使用未加密的登录。我已经阅读了这里的一些主题,但没有任何帮助。如何将它添加到我的 login.php 中?盐也存储在数据库中。
This is my register.php script for encrypting
这是我用于加密的 register.php 脚本
$hash = hash('sha256', $password1);
function createSalt()
{
$text = md5(uniqid(rand(), TRUE));
return substr($text, 0, 3);
}
$salt = createSalt();
$password = hash('sha256', $salt . $hash);
and this is my login.php with season
这是我的 login.php 与季节
//Create query
$qry="SELECT * FROM member WHERE username='$username' AND password='$password'";
$result=mysql_query($qry);
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) > 0) {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['id'];
$_SESSION['SESS_FIRST_NAME'] = $member['username'];
$_SESSION['SESS_LAST_NAME'] = $member['password'];
session_write_close();
header("location: profile.php");
exit();
}
else {
//Login failed
//error message
}
else {
die("Query failed");
}
回答by andreas
These examples are from php.net. Thanks to you, I also just learned about the new php hashing functions.
这些示例来自 php.net。感谢您,我也刚刚了解了新的 php 散列函数。
Read the php documentation to find out about the possibilities and best practices: http://www.php.net/manual/en/function.password-hash.php
阅读 php 文档以了解可能性和最佳实践:http: //www.php.net/manual/en/function.password-hash.php
Save a password hash:
保存密码哈希:
$options = [
'cost' => 11,
];
// Get the password from post
$passwordFromPost = $_POST['password'];
$hash = password_hash($passwordFromPost, PASSWORD_BCRYPT, $options);
// Now insert it (with login or whatever) into your database, use mysqli or pdo!
Get the password hash:
获取密码哈希:
// Get the password from the database and compare it to a variable (for example post)
$passwordFromPost = $_POST['password'];
$hashedPasswordFromDB = ...;
if (password_verify($passwordFromPost, $hashedPasswordFromDB)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
回答by anguswild
According to php.net the Salt option has been deprecated as of PHP 7.0.0, so you should use the salt that is generated by default and is far more simpler
根据 php.net,从 PHP 7.0.0 开始不推荐使用 Salt 选项,因此您应该使用默认生成的且更简单的 salt
Example for store the password:
存储密码的示例:
$hashPassword = password_hash("password", PASSWORD_BCRYPT);
$hashPassword = password_hash("password", PASSWORD_BCRYPT);
Example to verify the password:
验证密码示例:
$passwordCorrect = password_verify("password", $hashPassword);
$passwordCorrect = password_verify("password", $hashPassword);
回答by Ngend Lio
array hash_algos(void)
echo hash('sha384', 'Message to be hashed'.'salt');
Here is a link to reference http://php.net/manual/en/function.hash.php
回答by Herman
I think @Flo254 chained $saltto $password1and stored them to $hashedvariable. $hashedvariable goes inside INSERTquery with $salt.
我认为@Flo254 链接$salt到$password1并将它们存储到$hashed变量中。$hashed变量进入INSERT带有$salt.
回答by Nikunj
You couldn't login because you did't get proper solt text at login time. There are two options, first is define static salt, second is if you want create dynamic salt than you have to store the salt somewhere (means in database) with associate with user. Than you concatenate user solt+password_hash string now with this you fire query with username in your database table.
您无法登录,因为您在登录时没有获得正确的 solt 文本。有两个选项,第一个是定义静态盐,第二个是如果你想创建动态盐,那么你必须将盐存储在某个地方(意味着在数据库中)并与用户关联。比您现在连接用户 solt+password_hash 字符串,您可以在数据库表中使用用户名触发查询。
回答by Flo354
You can't do that because you can not know the salt at a precise time. Below, a code who works in theory (not tested for the syntaxe)
你不能这样做,因为你不能在精确的时间知道盐。下面是一个理论上有效的代码(未测试语法)
<?php
$password1 = $_POST['password'];
$salt = 'hello_1m_@_SaLT';
$hashed = hash('sha256', $password1 . $salt);
?>
When you insert :
插入时:
$qry="INSERT INTO member VALUES('$username', '$hashed')";
And for retrieving user :
并用于检索用户:
$qry="SELECT * FROM member WHERE username='$username' AND password='$hashed'";
